ConvoC2

ConvoC2 is a Red Team tool that builds a stealthy Command-and-Control (C2) channel over Microsoft Teams, showing how attackers can abuse the platform to execute system commands remotely on compromised hosts.

This innovative project, designed with Red Team operations in mind, uses Teams messages for hidden data exfiltration and command execution, demonstrating a significant security challenge for organizations relying on the Microsoft collaboration tool.

How ConvoC2 Works

ConvoC2 uses Microsoft Teams as a covert channel in both directions. Commands are embedded in hidden tags inside Teams messages, and the agent on the compromised system reads and executes them.

To exfiltrate data, command output is hidden in the image URLs of Adaptive Cards; when the card is rendered, the image fetch becomes an outbound HTTP request to the attacker-controlled C2 server.

The approach minimizes the chance of detection for several reasons:

  • No direct connection exists between the victim and attacker, as traffic flows through Microsoft’s servers.
  • Antivirus and monitoring tools rarely inspect Teams logs, making this technique stealthier.
  • Even if a user does not accept the attacker’s chat request, the commands are still cached in Teams logs and can be executed.

Architecture and Demonstration

A demonstration video shows ConvoC2 in action. In the test, two compromised hosts, one running the new Teams client on Windows 11 and the other the old Teams client on Windows 10, are controlled via the ConvoC2 server.

In some scenarios the attacker is external to the victim’s organization, which highlights the tool’s potential for cross-organization abuse.


Setting Up ConvoC2

Interested in testing this tool? Here’s what ConvoC2 requires:

Install the ConvoC2 Server and Agent:

Set Up a Teams Channel with Incoming Webhooks:

Create a Teams channel and configure a Workflow Incoming Webhook. This acts as the medium to receive Adaptive Cards containing extracted data.

Fetch Victim IDs and Auth Tokens:

Using a web proxy, intercept Teams API requests to obtain the victim’s unique IDs and Bearer token. This allows the server to authenticate and send commands.

Run and Operate the Server:

Using public-facing HTTP traffic on port 80, the server manages connected agents and executes commands on victim systems.

Requirements for Execution

  • Microsoft Teams must be running on the victim’s system (even in the background).
  • A configurable C2 server with HTTP traffic enabled.
  • Basic setup knowledge to configure webhooks and capture IDs/authentication tokens.

For a detailed setup walkthrough, refer to the project’s repository instructions.

ConvoC2 draws on earlier research, GIFShell by Bobbyrsec, which showed that commands could be embedded in Base64-encoded GIFs posted in Teams chats.

Though Microsoft has partially addressed those issues, ConvoC2 pioneers an alternative that embeds commands directly in hidden <span> tags within messages, bypassing prior security measures.

For example, commands are hidden in the aria-label attribute of <span> tags styled with style="display:none". The element never renders to the user, but Microsoft Teams still records the full message, attribute included, in its logs, which is where the command is picked up for execution.
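The hidden-attribute pattern described above is also what a defender can look for. The following is an added example, not code from the ConvoC2 project: a small scanner that walks Teams message HTML (as it would be read from exported or locally logged messages) and reports elements that are hidden from view yet carry text in an attribute. It generalises the article's specific case (a display:none span with an aria-label) to other hiding styles (visibility:hidden, font-size:0, the hidden attribute) and other text-carrying attributes (title, alt, data-*), and raises the severity when the hidden value looks like an encoded blob. The sample messages and the "encoded blob" heuristic are constructed for this example.

```python
"""Scan Teams message HTML for hidden elements carrying text in attributes.

Added example (not ConvoC2 project code). Assumes the input is the HTML body
of a Teams message as found in logs or an export; the sample messages below
are constructed for the example and nothing here contacts Teams.
"""
import re
from html.parser import HTMLParser

# Attributes that can hold text without rendering it. aria-label is the one the
# article names; title, alt and data-* generalise the check to similar carriers.
CARRIER_ATTRS = ("aria-label", "title", "alt")

# Inline styles that keep an element out of view (assumption: a reasonable but
# not exhaustive list of hiding techniques).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?![.\d])", re.I
)

# A long run of base64 alphabet characters is treated as "looks encoded"
# (heuristic chosen for this example, not a ConvoC2 format).
ENCODED_RUN = re.compile(r"[A-Za-z0-9+/=]{24,}")


class HiddenAttrScanner(HTMLParser):
    """Collect elements that are hidden yet carry text in a carrier attribute."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases attribute names and gives None for valueless ones.
        attrs = {name: (value or "") for name, value in attrs}
        hidden = "hidden" in attrs or bool(HIDDEN_STYLE.search(attrs.get("style", "")))
        if not hidden:
            return
        for name, value in attrs.items():
            if value and (name in CARRIER_ATTRS or name.startswith("data-")):
                self.findings.append({
                    "tag": tag,
                    "attr": name,
                    "value": value,
                    "encoded": bool(ENCODED_RUN.search(value)),
                })


def scan_message(html):
    """Return a list of findings for one message body; empty when nothing is hidden."""
    parser = HiddenAttrScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


def triage(messages):
    """Return (message_id, severity, finding) tuples for a list of (id, html) pairs.

    Severity is 'high' when the hidden value looks like an encoded blob and
    'medium' for any other hidden text; a hidden element with no carrier text
    is not reported, since it is common in legitimate markup.
    """
    results = []
    for message_id, html in messages:
        for finding in scan_message(html):
            severity = "high" if finding["encoded"] else "medium"
            results.append((message_id, severity, finding))
    return results


# Constructed sample messages: one benign, one with the pattern the article
# describes (a harmless echo as the hidden text), one visible aria-label that
# must not be flagged, and one hidden element carrying a base64-looking value.
SAMPLE_MESSAGES = [
    ("msg-001", "<p>Hi team, see the agenda attached.</p>"),
    ("msg-002", '<p>Hello</p><span style="display:none" aria-label="echo constructed-test">.</span>'),
    ("msg-003", '<p>ok</p><span aria-label="Reply" class="x">...</span>'),
    ("msg-004", '<div hidden data-note="QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=">x</div>'),
]

if __name__ == "__main__":
    for message_id, severity, finding in triage(SAMPLE_MESSAGES):
        print(f"{message_id} {severity}: <{finding['tag']} {finding['attr']}={finding['value']!r}>")
```

Run over real exports, the useful tuning knobs are the carrier attribute list and the encoded-run threshold; a visible element with an aria-label (msg-003) is deliberately ignored because that is ordinary accessibility markup, so the signal is the combination of hiding plus carried text, not either alone.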

The developer has outlined several enhancements to improve ConvoC2’s capabilities:

  • Integrating AES encryption for message security.
  • Implementing a keepalive mechanism to detect if an agent is inactive.
  • Adding a PowerShell version of the agent for broader compatibility.

The Developer Invites

ConvoC2 serves as a vital reminder of the evolving landscape of cyber threats. By exploiting a trusted collaboration platform like Microsoft Teams, attackers can achieve unprecedented stealth when carrying out malicious operations. Organizations are urged to:

  • Enhance monitoring of Microsoft Teams environments.
  • Regularly audit server and log activity for unusual patterns.
  • Implement defensive measures such as endpoint detection and response (EDR) tools capable of inspecting Teams logs.

The developer invites the cybersecurity community to contribute improvements to the project or identify potential bugs. Researchers and engineers can submit pull requests via the ConvoC2 GitHub repository.

Collaboration with the community remains a cornerstone for identifying vulnerabilities and strengthening defenses. Stay vigilant, and ensure your organization is prepared for emerging threats like ConvoC2.
